Correctly set CORS header for Stanford Only files #1066
Comments
@edsu That documentation is for a
pdfjs has a withCredentials option to send credentials which we would need to set to
Oh, I thought we had switched to the native pdf viewer.
Not yet, alas. A decision has yet to be made, and embedding is a feature flag that is turned on in stage/uat. But you're right, embedding will make this problem go away for PDF.
@edsu What is the decision timeline for the embedding?
Unfortunately, I don't think there is one, unless I'm the last to know.
This depends on what we learn through sul-dlss/sul-embed#1944 and represents another possible solution. |
In order for PDF and 3D Objects to be viewable in sul_embed, JavaScript needs to fetch the file (PDF or GLB) from Stacks. This works fine in cases where the file is public. But if the file is Stanford Only, the fetch request needs to include credentials (assuming they are logged in) or else the request will be denied.

Unfortunately, it's not possible to send credentials unless Stacks sends
Access-Control-Allow-Origin: embed.stanford.edu
in its response instead of
Access-Control-Allow-Origin: *
From the MDN docs:

It's also important that Stacks send this header ONLY when responding to requests for Stanford Only items. Otherwise JavaScript applications running outside of embed.stanford.edu will no longer be able to access public files.

It looks to me like the proposed work in #1063 would send the correct CORS header when a Stanford Only file is being sent? This was only for the auth controller, and not for viewing files. But I believe similar logic would be needed to only send the host specific CORS header when an attempt is being made to view a Stanford Only item?

See also: sul-dlss/sul-embed#1642
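The header selection described in this issue, as an added example that is not Stacks' or sul-embed's own code: a plain Ruby function picks the CORS headers for a file response (wildcard for public files, the single embed origin plus Access-Control-Allow-Credentials only for Stanford Only files), and a second function models, in simplified form, the browser's check that rejects a credentialed fetch answered with a wildcard. The EMBED_ORIGIN value and both function names are assumptions for this example.

```ruby
# Added example, not the project's code. Assumed allowed origin for sul-embed.
EMBED_ORIGIN = 'https://embed.stanford.edu'.freeze

# Returns the CORS headers Stacks would add to a file response.
# restricted: true for Stanford Only items, false for public items.
# origin: value of the request's Origin header (nil when absent).
def cors_headers_for(restricted:, origin:)
  if restricted
    # Browsers refuse a credentialed response that carries a wildcard, so
    # echo only the one trusted origin and opt in to credentials. Any other
    # origin gets no CORS headers at all, i.e. the fetch is denied.
    return {} unless origin == EMBED_ORIGIN

    {
      'Access-Control-Allow-Origin' => EMBED_ORIGIN,
      'Access-Control-Allow-Credentials' => 'true',
      'Vary' => 'Origin' # the answer now depends on Origin, so caches must key on it
    }
  else
    # Public files stay readable from any origin, exactly as today.
    { 'Access-Control-Allow-Origin' => '*' }
  end
end

# Simplified model of the browser-side CORS check for a response to
# fetch(url, { credentials: 'include' }) (credentials: true) or a plain
# fetch (credentials: false). Returns true when the script may read the body.
def browser_allows?(headers, request_origin:, credentials:)
  allow_origin = headers['Access-Control-Allow-Origin']
  return false if allow_origin.nil?
  # A wildcard is accepted only when no credentials were sent.
  return true if allow_origin == '*' && !credentials

  allow_origin == request_origin &&
    (!credentials || headers['Access-Control-Allow-Credentials'] == 'true')
end
```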